Denial of service attacks have been increasing rapidly as low-cost bandwidth becomes available to more people, and the potential for a successful denial of service attack to cause disruption has grown accordingly. In the past, more computing power could simply be added to a session border controller so that hostile attack packets could be filtered out through processing-intensive authentication, decryption and/or validation operations, allowing the valid packets to pass without significant disruption. However, computing power is not keeping pace with the increased level of attack activity, and new approaches are needed to avoid denial of service disruptions. In addition, adding computing power that is only needed during a denial of service attack can be costly.
Providing confidentiality and/or authentication of media streams, e.g. Real-Time Transport Protocol (RTP) streams, using Secure RTP (sRTP) and/or other secure protocols that rely on encryption and/or other security measures, tends to require several times the processing power of basic media stream processing, e.g. basic RTP processing. This is because decrypting and/or encrypting are processor-intensive operations compared with reading and processing unencrypted data.
The relatively high amount of processing power required to decrypt encrypted or otherwise secured packet content introduces a fundamental mismatch when designing DoS-resistant media processing. In addition, many security protocols have an authentication operation in addition to the decrypt operation, and the authentication operation can also be computationally intensive and/or introduce time delays. To fully protect against DoS, the session border controller (SBC) must be able to differentiate good packets from bad packets at line rate. For sRTP packets, the cost of doing so is several times the cost for non-sRTP packets. Consequently, if a design incorporates sufficient power to completely decode sRTP at line rate, such a system is likely to waste significant processing power when not under attack.
In view of the above, there is a need for new methods and apparatus for supporting Secure Real-Time Transport Protocol (sRTP) and Secure Real-Time Transport Control Protocol (sRTCP), and/or other secure protocols with denial of service resistance but preferably without requiring authenticating, decrypting and/or decoding of all packets that are received.
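The mismatch described above can be made concrete by measuring how many packets of a flood actually reach the expensive authentication step when cheap checks run first. The following is an added example and is not code from the page or from the applicant's method: it runs each incoming packet through inexpensive RTP header sanity, known-SSRC lookup and replay-window checks, and computes the sRTP HMAC-SHA1 tag only for packets that survive. The receiver ordering (replay check before tag verification, replay state updated only after a tag verifies) follows RFC 3711 section 3.3; the authentication key, SSRC value and traffic mix are constructed for the demo, the payload is left unencrypted because only the filtering and authentication path is exercised, and the rollover counter is held at zero because the sample sequence numbers never wrap.

```python
"""Cheap pre-filter in front of sRTP authentication (added example).

Packets are rejected on RTP header sanity, unknown SSRC and replay-window
position before any HMAC is computed.  Only packets whose tag verifies
update the replay window, so bogus traffic cannot poison it.  Field
layouts follow RFC 3550 / RFC 3711; keys and traffic below are constructed.
"""
import hashlib
import hmac
import struct

RTP_HDR_LEN = 12        # fixed RTP header without CSRC list (RFC 3550 5.1)
AUTH_TAG_LEN = 10       # sRTP default: HMAC-SHA1 truncated to 80 bits
REPLAY_WINDOW = 64      # minimum replay window required by RFC 3711


class SrtpSession:
    """Per-SSRC receive state: auth key, rollover counter, replay window."""

    def __init__(self, ssrc, auth_key):
        self.ssrc = ssrc
        self.auth_key = auth_key
        self.roc = 0                 # rollover counter, fixed at 0 in this demo
        self.highest_seq = -1        # s_l: highest authenticated seq so far
        self.seen_mask = 0           # bit i set => highest_seq - i was accepted

    def replay_check(self, seq):
        """Cheap check: is seq new and inside the window?  Mutates nothing."""
        if seq > self.highest_seq:
            return True
        delta = self.highest_seq - seq
        if delta >= REPLAY_WINDOW:
            return False                    # too old to be accepted
        return not (self.seen_mask >> delta) & 1

    def mark_received(self, seq):
        """Advance the window; called only after the tag has verified."""
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            self.seen_mask = ((self.seen_mask << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.highest_seq = seq
        else:
            self.seen_mask |= 1 << (self.highest_seq - seq)


def parse_rtp_header(pkt):
    """Return (ssrc, seq) if the fixed header is plausible, else None."""
    if len(pkt) < RTP_HDR_LEN + AUTH_TAG_LEN:
        return None
    b0, _b1, seq, _ts, ssrc = struct.unpack("!BBHII", pkt[:RTP_HDR_LEN])
    if b0 >> 6 != 2:                        # RTP version must be 2
        return None
    return ssrc, seq


def auth_tag(session, body):
    """sRTP tag: HMAC-SHA1(key, authenticated portion || ROC), truncated."""
    mac = hmac.new(session.auth_key, body + struct.pack("!I", session.roc), hashlib.sha1)
    return mac.digest()[:AUTH_TAG_LEN]


def verify_tag(session, pkt):
    body, tag = pkt[:-AUTH_TAG_LEN], pkt[-AUTH_TAG_LEN:]
    return hmac.compare_digest(auth_tag(session, body), tag)


def process(sessions, pkt, stats):
    """Run one packet through the cheap checks first and the HMAC last."""
    hdr = parse_rtp_header(pkt)
    if hdr is None:
        stats["bad_header"] += 1
        return False
    ssrc, seq = hdr
    session = sessions.get(ssrc)
    if session is None:
        stats["unknown_ssrc"] += 1
        return False
    if not session.replay_check(seq):
        stats["replay"] += 1
        return False
    stats["hmac_computed"] += 1             # the expensive step
    if not verify_tag(session, pkt):
        stats["auth_failed"] += 1
        return False
    session.mark_received(seq)
    stats["accepted"] += 1
    return True


def build_packet(session, seq, payload):
    """Constructed sender side: header + (unencrypted) payload + tag."""
    hdr = struct.pack("!BBHII", 0x80, 0x00, seq, seq * 160, session.ssrc)
    body = hdr + payload
    return body + auth_tag(session, body)


def run_demo():
    """Feed 100 legitimate packets then 700 hostile ones; return the counters."""
    key = b"\x11" * 20                      # constructed 160-bit auth key
    ssrc = 0xDEADBEEF                       # constructed SSRC
    sender, receiver = SrtpSession(ssrc, key), SrtpSession(ssrc, key)
    sessions = {ssrc: receiver}
    stats = dict.fromkeys(
        ["bad_header", "unknown_ssrc", "replay", "hmac_computed", "auth_failed", "accepted"], 0)

    legit = [build_packet(sender, s, b"\x00" * 40) for s in range(1, 101)]
    hostile = []
    hostile += [b"\x40" + legit[0][1:]] * 300                    # RTP version 1
    hostile += [struct.pack("!BBHII", 0x80, 0, 5, 0, 0x01020304) + b"\x00" * 50] * 300
    hostile += [legit[i] for i in range(10)] * 5                 # replays of old packets
    hostile += [struct.pack("!BBHII", 0x80, 0, s, s * 160, ssrc) + b"\x00" * 40
                + b"\xff" * AUTH_TAG_LEN for s in range(101, 151)]  # forged tags

    for pkt in legit + hostile:
        process(sessions, pkt, stats)
    return stats


if __name__ == "__main__":
    print(run_demo())
```

Of the 800 packets in the constructed run, only 150 reach the HMAC: the 100 legitimate ones and the 50 forgeries that carry a known SSRC and a fresh sequence number. Everything else is dropped by header parsing, SSRC lookup or the replay window, which cost a few comparisons each. The forged-tag case is the residual exposure this ordering cannot remove: a packet that imitates an existing session's header still forces one authentication, which is why the page argues that line-rate sRTP protection needs something beyond adding decode capacity.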